September 2008
Report No. AUD-08-017

FDIC’s Controls Over Contractor Invoice Approval, Payment, and Posting to the General Ledger

AUDIT REPORT

Why We Did The Audit

Of the FDIC’s $992 million in calendar-year 2007 operating expenses, over $250 million represents amounts paid for contracted goods and services. Through June 2008, $121 million of $495 million in operating expenses was for contractor payments, part of which was paid based on contractor invoices.

The audit objective was to assess the FDIC’s controls over contractor invoice approval, payment, and posting to the General Ledger. Our review included a sample of 30 of 1,148 FDIC invoices, representing $5.7 million in contractor invoice payments that totaled $37.5 million during the period October 2007 through March 2008.

Background

The General Ledger is the central component of the New Financial Environment (NFE), the FDIC’s financial management system. The General Ledger provides accounting, reporting, and decision-making information for the FDIC. The FDIC’s Division of Finance (DOF) is responsible for maintaining the General Ledger, receiving contractor invoices, verifying payment approvals, issuing disbursements, and posting transactions to the General Ledger.

The audit focused on the FDIC’s control activities intended to provide reasonable assurance that the FDIC (1) meets management directives, such as budget execution; (2) accomplishes control objectives, such as efficient use of FDIC resources; and (3) mitigates risk. Control activities for invoice processing include the segregation of the receiving, invoicing, and purchasing functions; goods and services receipt verification; managerial authorizations; independent review before payment; and pre-payment procedures for Prompt Payment Act compliance and duplicate payment detection to ensure that only valid transactions are authorized and approved.

The Contractor Electronic File (CEFile) is the FDIC’s official system of records for contract activities, including invoice approval decisions as part of contract oversight management. The FDIC’s Acquisition Policy Manual and guidance from the Division of Administration’s (DOA) Acquisition Services Branch describe the oversight management responsibilities related to invoices. General Ledger procedures related to operating expenses are defined in the FDIC’s Operating Expenses Process Memorandum and the DOF’s Accounts Payable Operating Procedures Manual.

Audit Results

The FDIC has established and implemented generally adequate controls over contractor invoice approval, payment, and posting to the general ledger. The NFE provides an audit trail from the authorized invoice approval through posting of the payment transactions. Additionally, the FDIC has enhanced its Contract Oversight Management Program to ensure that Oversight Managers (OM) receive and complete training regarding their roles in independently reviewing and approving contractor invoices for payment.

Based on our review of the 30 sampled contractor invoices, representing total FDIC expenditures of $5.7 million, we found that additional control activities could improve the OM’s review and approval procedures as described below.

• Segregation of duties was lacking for five invoices, representing $239,300 in payments. The same OM prepared and approved two invoices. Another OM submitted the three other invoices directly to DOF for the contractors and then approved the invoices for payment. Properly designed control activities help ensure that no one individual can initiate and approve a transaction. Maintaining the segregation of duties in the invoice payment process would help reduce the risk of errors or unauthorized transactions.

• Three of 15 OMs, who approved 3 invoices with a total value of $213,150, did not have confirmation letters from Contracting Officers, authorizing the OMs to perform contractor oversight responsibilities, including reviewing and approving invoices for payments. Also, two OMs who had not completed required training approved three invoices totaling $130,600. Confirmation letters and training help to ensure that OMs correctly review and approve invoice payments in accordance with FDIC policies.

• The CEFile did not contain 26 out of 30 invoices sampled, representing about $1.7 million out of $5.7 million in contractor payments. OMs did not consistently follow the FDIC’s acquisition policy on documenting these contract activities in the CEFile. Timely inclusion of invoices in the CEFile ensures accurate and complete records of contract activities.

Strengthening controls in these areas will help in ensuring the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with FDIC policies and procedures.

Recommendations and Management Response

We recommended DOF and DOA ensure the segregation of duties for invoice preparation and approval. We also recommended DOA ensure that the OMs receive confirmation letters; complete required training; and maintain current, accurate, and complete documentation in the CEFile.

DOA and DOF concurred with our recommendations and planned to take responsive actions.

To view the full report, go to www.fdicig.gov/2008reports.asp

Contents

BACKGROUND
  Guidance and Controls Related to Contractor Payments
RESULTS OF AUDIT
PAYMENT PROCESSING AND GENERAL LEDGER POSTING
SEGREGATION OF DUTIES FOR INVOICE APPROVAL
  Recommendation Related to Segregation of Duties for Invoice Approval
OM CONFIRMATION LETTERS AND TRAINING
  Recommendation Related to OM Confirmation Letters and Training
CONTRACT DOCUMENTATION
  Recommendation Related to Contract Documentation
CORPORATION COMMENTS AND OIG EVALUATION
APPENDICES
  1. OBJECTIVE, SCOPE, AND METHODOLOGY
  2. SAMPLED INVOICES
  3. CORPORATION COMMENTS
  4. MANAGEMENT RESPONSE TO RECOMMENDATIONS
  5. ACRONYMS USED IN THE REPORT

Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226
Office of Audits
Office of Inspector General

DATE: September 22, 2008

MEMORANDUM TO: Bret D. Edwards, Director, Division of Finance
               Arleas Upton Kea, Director, Division of Administration

FROM: /Signed/ Russell A. Rau, Assistant Inspector General for Audits

SUBJECT: FDIC’s Controls Over Contractor Invoice Approval, Payment, and Posting to the General Ledger (Report No. AUD-08-017)

This report presents the results of our audit of the FDIC’s controls over contractor invoice approval, payment, and posting to the General Ledger (G/L). The G/L is the central component of the New Financial Environment (NFE)—the FDIC’s financial management system. The G/L provides accounting, reporting, and decision-making information for the FDIC. The FDIC’s Division of Finance (DOF) is responsible for maintaining the G/L, receiving contractor invoices, verifying payment approvals, issuing disbursements and posting transactions to the G/L.
In addition, the Division of Administration’s (DOA) Acquisition Services Branch (ASB) is responsible for developing all contracting policies and procedures and communicating and implementing those policies and procedures throughout the FDIC.

The audit objective was to assess the FDIC’s controls over contractor invoice approval, payment, and posting to the G/L. The audit focused on the FDIC’s control activities intended to provide reasonable assurance that the FDIC (1) meets management directives, such as budget execution; (2) accomplishes control objectives, such as efficient use of FDIC resources; and (3) mitigates risk. Control activities for invoice processing include the segregation of the receiving, invoicing, and purchasing functions; goods and services receipt verification; managerial authorizations; independent review before payment; and pre-payment procedures for Prompt Payment Act (PPA)[1] compliance and duplicate payment detection to ensure that only valid transactions are authorized and approved.

[1] The PPA and its implementing regulations from the U.S. Office of Management and Budget, (5 Code of Federal Regulations (C.F.R.) Part 1315) require that agencies, among other things, pay interest to contractors if contractor invoices are not paid in a timely manner, for example, within the period established by the contract. The FDIC, in its corporate capacity, is an agency for purposes of the PPA. Additional information is contained in Appendix 1 under the Compliance with Laws and Regulations section.

We conducted this performance audit in accordance with generally accepted government auditing standards.
Appendix 1 of this report discusses our audit objective, scope, and methodology in detail.

BACKGROUND

Of the FDIC’s $992 million in calendar-year 2007 operating expenses, over $250 million represents amounts paid for contracted goods and services. For the 6 months ended June 2008, $121 million of $495 million in operating expenses was for contractor payments. Part of the $121 million was paid based on contractor invoices. Our review included a sample of 30 of 1,148 FDIC invoices, representing $5.7 million of the total $37.5 million in contractor payments from October 2007 through March 2008. The FDIC had assigned 15 Oversight Managers (OM) the responsibility for the review and approval of the 30 sampled invoices (see Appendix 2), representing 18 contractors.

Guidance and Controls Related to Contractor Payments

The FDIC has a number of policies and procedures related to controls over the contractor invoice payment process as described below.

FDIC Circular 4010.3. FDIC Circular 4010.3, FDIC Enterprise Risk Management Program, adopted internal control standards prescribed in the Government Accountability Office (GAO) publication, Standards for Internal Control in the Federal Government. These standards apply to all operations (programmatic, financial, and compliance) and are intended to ensure the effectiveness and efficiency of operation, reliability of financial reporting, and compliance with applicable laws and regulations.
Circular 4010.3 requires management to develop and implement controls to ensure that management directives are carried out and to provide reasonable assurance that controls are sufficient to minimize exposure to waste, fraud, and mismanagement.

Key control activities related to contractor payments described in Circular 4010.3 include:

• Segregation of Duties. Key duties and responsibilities shall be divided among different individuals such that no one individual should control all key aspects of a transaction to reduce the risk of error or fraud.

• Proper Execution of Transactions and Events. Transactions and other significant events shall be authorized and executed only by persons acting within the scope of their authority.

• Appropriate Documentation of Transactions and Internal Controls. Internal controls, all transactions, and other significant events shall be clearly documented. This helps to ensure that payment transactions are complete, accurate, and recorded in a timely manner. Documentation shall be readily available for examination.

The circular also requires management to perform monitoring activities to assess the quality of performance over time and the effectiveness of controls. Monitoring activities include routine management and supervisory actions; transaction comparisons and reconciliations; other actions taken in the course of normal operations; as well as separate and discrete control evaluations, including internal self-assessments and external reviews.

The Acquisition Policy Manual.
The FDIC’s Acquisition Policy Manual (APM) provides that contract OMs are, among other things, responsible for reviewing and approving invoices promptly for payment to avoid interest on late payments and ensuring that the goods or services contracted for are received and within the scope of the contract. The APM requires that the Contracting Officer provide the program-appointed OM with a Letter of Oversight Manager Confirmation, describing the OM’s authority and responsibilities. Prior to receiving the letter of confirmation, OMs are required to complete training that includes, among other things, the OM role in contract administration.

Interim Acquisition Policy No. 2004-5, CEFile, dated August 10, 2004. The policy states that the Contract Electronic File (CEFile) is the official contract file of record for the ASB. The CEFile is a Web-based template on the FDICnet used to create official contract files and electronically organize and store all pertinent contract file documentation such as the requirements package, contract, contract modifications, and OM’s contract-related records. The policy memorandum states that the Contracting Officers and OMs are responsible to ensure that the CEFile is current, accurate, and complete. The documentation in the file shall be sufficient to (a) provide a complete background as a basis for informed decisions at each step in the acquisition process; (b) support actions taken; (c) provide information for reviews and investigations; and (d) furnish essential facts in the event of litigation or congressional inquiries.

Interim Acquisition Policy No. 2007-02, Establishment of the FDIC Contract Oversight Management Program, dated April 12, 2007.
The policy memorandum formally establishes the FDIC Contract Oversight Management Program and states that supervisors must ensure that individuals considered for appointment as OMs obtain certain competencies needed to effectively and efficiently perform delegated contract management duties. On May 11, 2007, ASB notified OMs regarding mandatory classroom training.

Operating Expense Process Memorandum. DOF’s Disbursement Operations Unit (DOU) processes approved invoices for goods and services procured by the FDIC. The FDIC’s Operating Expense Process Memorandum, for calendar year 2007, defines the G/L procedures related to operating expenses, which are included in the Operating Expense line item on the FDIC’s financial statements. The process memorandum identifies key events and describes the controls provided at each stage as summarized below:

• DOU is responsible for the initial receipt and date stamping of invoices and input of information into the NFE Accounts Payable Module. DOU is also responsible for evaluating invoices to ensure compliance with the PPA late payment provisions.

• DOU reviews invoice information to verify that it complies with the FDIC-designed vendor invoice format that is acceptable for NFE billing. The standardized invoice form requires vendors to provide mandatory elements, such as the contract/purchase order number, labor categories, hourly rates, period being invoiced, and applicable backup documentation, to determine, among other things, the appropriate fund and expense accounts in the G/L for authorizing the payment transaction.
Once approved by DOU, the invoice is routed in NFE to the OM for final approval.

• The OM is responsible for reviewing the invoice in accordance with ASB requirements, including the APM. The review is intended to ensure that the invoice is correct and complies with the terms and conditions of the contract and the payments in process do not exceed the specified contract purchase order or task order contract limits and expenditure authority. The Invoice Review Checklist in the APM provides the OM guidelines for reviewing contractor invoices. If the invoice and purchase order are correct, the OM approves the invoice in NFE.

• Once the OM approves the invoice in NFE, payments are generally made through an Electronic Funds Transfer (EFT).[2] DOU approves the daily electronic payment transactions on-line. EFT payment files are sent to the disbursing bank upon e-mail notification from DOU to DOF’s NFE Servicing and Control Unit (NSCU). The NFE Accounts Payable Module then records the journal entries for the payment transactions and through its system interface with the G/L, automatically posts these transactions to the appropriate fund and expense accounts in the G/L. The Accounts Payable Module has built-in edits to prevent duplicate payments. In addition, daily reports are run and reviewed by DOU to detect suspect invoices that could result in duplicate payments.

The GAO, as part of the annual audit of the FDIC’s financial statements, assesses the controls for contractor invoice payment processing and G/L posting activities.
GAO’s audit work includes testing and tracing of contractor invoice payments from approval through disbursements and G/L postings.

[2] EFT is the electronic movement of funds from one bank account to another, by means of electronically communicated payment instructions.

The DOF Accounts Payable Operating Procedures Manual, November 2006. DOF maintains this manual to document activities and procedures related to the FDIC’s Accounts Payable function. The topics addressed in the Manual include:

• Reviewing an Accounts Payable invoice before processing
• Accounts Payable pay-cycle review and approval
• Auditing large dollar Accounts Payable payments
• Reviewing and monitoring for compliance with the PPA
• Reviewing and monitoring for duplicate payments
• Accounts Payable voucher routing error
• Accounts Payable voucher override/matching procedure
• Scanning and attaching an invoice voucher
• Accounts Payable Electronic Invoice Processing
• Processing Accounts Payable Expense Adjustment Voucher

RESULTS OF AUDIT

The FDIC has established and implemented generally adequate controls over contractor invoice approval, payment, and posting to the G/L. The NFE provides an audit trail from the authorized invoice approval through posting of the payment transactions to the G/L. Payment transactions for the 30 sampled invoices were accurately posted to the correct fund and expense accounts in the G/L.
Additionally, the FDIC has enhanced its Contract Oversight Management Program to ensure that OMs receive and complete training regarding their roles in reviewing and approving contractor invoices for payment.

However, based on our review of the 30 sampled contractor invoices, representing total FDIC expenditures of $5.7 million, we found that enhanced control activities could improve the OM’s review and approval procedures as described below.

• Segregation of duties was lacking for five invoices, representing $239,300 in contractor payments. The same OM prepared and approved two invoices. Another OM submitted the three other invoices directly to DOF for the contractors and then approved those invoices for payment. Properly designed control activities help ensure that no one individual can initiate and approve a transaction. Maintaining the segregation of duties in the invoice payment process would help to reduce the risk of errors or unauthorized transactions.

• Three of 15 OMs, who approved 3 invoices, with a total value of $213,150, did not have confirmation letters from Contracting Officers, authorizing the OMs to perform contractor oversight responsibilities, including reviewing and approving invoices for payments. Also, two OMs, who had not completed the required training, approved three invoices totaling $130,600. Confirmation letters and training help to ensure that OMs correctly review and approve invoice payments in accordance with FDIC policies.

• The CEFile did not contain 26 out of the 30 invoices sampled, which represented about $1.7 million out of the $5.7 million in contractor payments.
OMs did not consistently follow the FDIC’s acquisition policy regarding documenting these contract activities in the CEFile. Timely inclusion of invoices in the CEFile ensures current, accurate, and complete records of contract activities.

Strengthening controls in the areas of the segregation of duties, OM training, and contract file maintenance will help in ensuring the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with FDIC policies and procedures.

PAYMENT PROCESSING AND GENERAL LEDGER POSTING

We found that the FDIC has established and implemented adequate controls over the contractor invoice payment function and corresponding posting to the G/L. The NFE provides an audit trail from the authorized invoice approval through posting the payment transactions. We obtained documentation from DOF and traced the payment transactions of the 30 sampled invoices from NFE approval to disbursement and recording in the G/L. DOU approved the electronic payment transactions for the sampled invoices. After approval, DOU notified NSCU via email that the payment transactions were ready for processing. NSCU sent these payment transactions to the appropriate disbursement banks, and the automated interface in the Accounts Payable Module posted the payment transactions to the correct funds and expense accounts in the G/L.

We were able to verify that the 30 contractor invoices in our sample were paid in the correct amount invoiced and processed in a timely manner within the limits of the PPA late payment provisions. In addition, the edit checks in the Accounts Payable Module for duplicate payments and the DOU procedures for daily monitoring of invoices worked as intended for the sampled invoices.
There were no duplicate payments for any of the 30 sampled invoices.

Based on the results of our audit work, we are not making recommendations in these areas. However, we found that management attention is warranted in the areas of the segregation of duties, OM training, and contract file maintenance as discussed below.

SEGREGATION OF DUTIES FOR INVOICE APPROVAL

We found that 5 of the 30 invoices, representing $239,300 in payments, were approved without an adequate segregation of duties. One OM prepared,[3] submitted, and approved two invoices, while another OM submitted three invoices directly to DOF for the contractors and then approved them for payment processing. Having one individual initiate and approve a transaction increases the risk of errors and unauthorized payment transactions. This control weakness occurred because management did not ensure compliance with the segregation of duties requirement for invoice preparation, submission, and approval in accordance with FDIC Circular 4010.3.

[3] Invoice preparation involved transferring billing data received from the contractor, Benefits Allocation Specialists (BAS), and submitting a supplemental cover page with contract information and cost allocation information into the invoice format required by DOF. The FDIC contracted with BAS to administer certain FDIC employee benefits programs and maintain FDIC employees’ benefits enrollment information.

The two invoices prepared and approved by the same OM were for certain contracted insurance providers for the FDIC’s employee health benefits programs.
The contractors did not have access to certain information needed for billing purposes;[4] therefore, the OM transferred the billing data from BAS and added the required contract and cost allocation information on the invoices submitted to DOU for payment processing. After receiving notification, through the NFE, that the invoices needed approval, the same OM approved the invoices for payment. Having one individual with the capability to prepare, submit, and approve an invoice increases the risk of errors and could result in unauthorized payment transactions.

The three remaining invoices, which were for expert consulting services, were also submitted and approved without an adequate segregation of duties. The OM for the consulting services contracts received the invoices from the contractor, submitted them to DOF, and approved the invoices for payment.[5] The Operating Expense Process Memorandum states that the contractor, not the OM, should submit invoices to DOU. The lack of segregation of duties increases the risk of errors or unauthorized payment transactions.

FDIC Circular 4010.3 states that key duties and responsibilities shall be divided among different individuals to reduce the risk of error or fraud. Maintaining appropriate segregation of duties in the invoice payment process is key to safeguarding FDIC resources.

Recommendation Related to Segregation of Duties for Invoice Approval

We recommend that the Director, DOA, work with the Director, DOF, to:

(1) Strengthen controls to ensure segregation of duties for invoice preparation, submission, and approval.

[4] The BAS database contains sensitive personnel enrollment information such as Social Security numbers, addresses, family members, and their Social Security numbers.
The contracted insurance providers do not have direct access to the BAS database.

[5] The contract for one invoice and a similar contract for two invoices did not specify where to send the invoices. This may result in the need for the contractors to contact the OM for further invoice submission instruction.

OM CONFIRMATION LETTERS AND TRAINING

Three of 15 OMs, who approved 3 of the 30 sampled invoices did not have confirmation letters from Contracting Officers, authorizing them to perform OM responsibilities, including reviewing and approving invoices for payments. The three invoices totaled $213,150. In addition, two OMs approved three invoices totaling $130,600 without first completing the required OM training. Both of these OMs also lacked a confirmation letter from the Contracting Officer. The lack of OM confirmation letters and training occurred because DOA has not been monitoring and periodically assessing compliance with OM authorization requirements. Confirmation letters and training help to (1) ensure that the OMs are fully aware of their authorities and responsibilities and (2) reduce the risk of OMs approving erroneous and/or unauthorized transactions.

The APM requires that a Letter of Oversight Manager Confirmation be issued by the Contracting Officer to the OM, authorizing the OM to perform a number of tasks, including verifying satisfactory delivery of contract terms and/or performance, and reviewing and approving invoices promptly to avoid late payments and incurred interest charges. In addition, Interim Acquisition Policy No. 2007-02, dated April 12, 2007, defines required competencies for OMs, and ASB has established mandatory instructor-led classroom training for OMs regarding FDIC contract oversight management.
An important part of the training focuses on the OM role in contract administration, which includes responsibilities for reviewing and approving invoices for contractor payments.

Recommendation Related to OM Confirmation Letters and Training

We recommend that the Director, DOA:

(2) Monitor and periodically assess compliance with the FDIC’s acquisition policy to ensure that designated OMs have received confirmation letters from Contracting Officers and completed required training.

CONTRACT DOCUMENTATION

We found that for the 30 invoices sampled, the CEFile did not contain 26 invoices representing about $1.7 million out of $5.7 million in contractor payments. This occurred because DOA has not been monitoring OM compliance with the requirements to ensure that the CEFile is current, accurate, and complete. As a result, the CEFile documents for 16 of the 18 contracts in our sample were not up to date and cannot be relied upon as a record of contract activities.

Interim Acquisition Policy No. 2004-05 indicates that the CEFile is the official contract file of record. Further, DOA issued a memorandum, dated October 18, 2006, to FDIC Contracting Officers and OMs, stating that maintaining the CEFile is an ongoing and continuous process, and it is the responsibility of both the Contract Specialist and the OM to ensure that the CEFile is current, accurate, and complete. In particular, OMs are required to maintain their contract-related records such as approved invoices in the CEFile.
OM contract administration responsibilities are performed corporate-wide.
Accordingly, DOA needs to monitor OM compliance with acquisition policy to ensure
the CEFile is current, accurate, and complete.

Recommendation Related to Contract Documentation

We recommend that the Director, DOA:

(3) Monitor and periodically assess whether OMs record contract activities, including
invoices, in a timely manner to ensure the CEFile is current, accurate, and complete.

CORPORATION COMMENTS AND OIG EVALUATION

On September 12, 2008, DOA and DOF provided a joint written response to the draft of
this report. The response is provided in its entirety as Appendix 3 of this report. DOA
and DOF concurred with our recommendations and provided planned corrective actions
for each recommendation as discussed below.

Regarding recommendation 1 on segregation of duties for invoice preparation,
submission, and approval, DOA indicated that the OM’s review and approval procedures
could be improved for invoices of the employee health benefits program. Currently, the
FDIC’s contractor for administering the employee benefits program, BAS, provides the
employee premiums to the FDIC. The DOA Benefits Center staff then creates a separate
spreadsheet for the DOU showing the contract name, number, allocation codes, and
amounts and sends the entire package as an invoice to DOU for input into the NFE. To
improve segregation of duties, DOA’s Benefits Center staff will instruct BAS to include
on its invoice the name and number of the contract, dollar amount allocation per budget
line, and total dollar amount and send the invoice directly to DOU.
This new procedure will be implemented by December 31, 2008.

DOF also agreed to take actions to strengthen segregation of duties controls for invoice
preparation, submission, and approval. DOU will implement a process by September 30,
2008, to follow up with OMs who receive an invoice directly from a contractor and
subsequently forward the invoice to the DOU for processing. DOU will reinforce to the
OM that contractors should submit invoices directly to DOU. Where there is a valid
business reason that supports a vendor invoice being first received by the program office,
DOF will document this exception and stress to the program office the importance of
maintaining appropriate segregation of duties regarding the preparation, submission, and
approval of invoices.

With respect to recommendation 2 on OM Confirmation Letters and Training, DOA will
monitor and periodically assess compliance with acquisition policy through contract
post-award reviews to be conducted by DOA’s Acquisition Services Branch. DOA
indicated that by December 31, 2008, a contract post-award review checklist will be
developed to include a review of OM training and appointments.

Regarding recommendation 3 on contract documentation, DOA will include on the
contract post-award review checklist being developed (by December 31, 2008) a review
of the CEFile to ensure that all applicable documentation is included in that file.

A summary of management’s response to the recommendations is in Appendix 4. We
consider the planned actions to be responsive to the recommendations.
The recommendations are resolved but will remain open until we have determined that
agreed-to corrective actions have been completed and are responsive.

APPENDIX 1
OBJECTIVE, SCOPE, AND METHODOLOGY

Objective and Scope

The audit objective was to assess the FDIC’s controls over contractor invoice approval,
payment, and posting to the G/L. We conducted this performance audit from April
through July 2008 in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and conclusions based
on our audit objective. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives.

The scope of the audit was the contractor invoices processed in the NFE Accounts
Payable Module for the 6-month period of October 1, 2007 through March 31, 2008. The
scope was limited to EFT and check payments for FDIC contractor invoices. We
obtained information regarding these contractor payment transactions from a query of the
NFE Accounts Payable Module.

Methodology

To accomplish our objective, we:

• Judgmentally selected 30 invoices out of the 1,148 total invoices processed through
  the NFE Accounts Payable Module during the period of October 1, 2007 through
  March 31, 2008.
  [6] Our sample included invoices from six FDIC divisions, the
  Division of Resolutions and Receiverships (DRR), Division of Insurance and
  Research (DIR), DOA, Division of Information Technology (DIT), Legal Division,
  and the FDIC’s Corporate University. These invoices were for contracts managed by
  both FDIC Headquarters and the Dallas Regional Office. The selected invoices
  ranged from over $1 million to less than $2,000.

• Interviewed the OMs for each of the 18 contracts associated with the 30 invoices in
  our sample. Examined OM files and reviewed the OM procedures for reviewing and
  approving FDIC invoices. Obtained documentation on OM confirmation letters and
  training requirements. We reviewed electronic documents stored in the CEFile, as
  well as working documents stored separately by the OMs to assist with their review
  and approval of invoices.

• Examined each invoice to determine whether the OMs had carried out their
  responsibilities related to invoice review as described in their letters of confirmation.
  Key responsibilities include receiving and accepting deliverables, verifying
  satisfactory contract performance before approving invoices for payment, reviewing
  and approving invoices promptly to avoid late payment interest charges, and ensuring
  that the dollar values of invoices do not exceed the expenditure authority.

[6] The results of a non-statistical sample cannot be projected to the intended population by standard
statistical methods.

• Queried the CEFile to verify whether the following contract documentation related to
  the sampled invoices was included in the files: OM confirmation letters, OM-approved
  invoices, the contracts, contract modifications, and correspondence related
  to the contract events and transactions.

• Reviewed the documentation stored in NFE to support the posting of the 30 sampled
  invoice transactions to the G/L and to verify that the amounts had been paid and
  cleared the disbursement bank.

• Queried the NFE Accounts Payable Module to trace invoices through the entire
  process--from approval to the bank clearance. The key steps in this process are OM
  invoice approval, DOF invoice input into NFE, preparation of contractor payments
  within NFE, the posting of each transaction to the G/L, and the funding of payments
  through payment vouchers.

• Verified that the 30 invoices in our sample had been paid within the required
  timeframes of the PPA provisions regarding late payments.

• Considered relevant provisions of the FDIC’s policies pertaining to the following:

  o The FDIC’s APM, which provides FDIC policy on contracting for products and
    services.

  o The FDIC’s Circular 4010.3, FDIC Enterprise Risk Management Program,
    which adopts the internal control standards prescribed in the GAO publication,
    Standards for Internal Control in the Federal Government. These standards apply
    to all operations (programmatic, financial, and compliance) and are intended to
    ensure the effectiveness and efficiency of operation, reliability of financial
    reporting, and compliance with applicable laws and regulations.
    Circular 4010.3
    requires management to develop and implement controls to ensure that management
    directives are carried out and to provide reasonable assurance that controls are
    sufficient to minimize exposure to waste, fraud, and mismanagement.

  o GAO’s publication, Standards for Internal Control in the Federal Government,
    as largely adopted in FDIC Circular 4010.3.

  o DOF’s Accounts Payable Operating Procedures Manual, which documents the
    activities and procedures related to the FDIC’s Accounts Payable function.

We performed our audit work at the FDIC’s Headquarters offices in Arlington, Virginia,
and Washington, D.C., and the Dallas Regional Office.

Internal Controls

We identified the key control points in the FDIC’s invoice payment processes. Our tests
addressed these key control activities:

• The separation of duties between receiving, billing, and purchasing functions.

• The required verification of receipt of goods and services before payments can be
  authorized.

• The required authorization (OM confirmation letters and FDIC contract oversight
  management training) for OMs to carry out their responsibilities.

• DOF’s independent review of invoices for compliance with the FDIC’s billing
  policies.

• DOF’s review for suspect invoices prior to payment processing.

• DOF managerial review and approval of funding payments.

Reliance on Computer-processed Information

In performing this audit, we relied on data from the NFE and CEFile.
We confirmed the
accuracy of the data through tracing to source documents and considered the
reasonableness of data such as electronic timesheets of hours charged on invoices.

Performance Measurement

We reviewed the FDIC’s 2008 Annual Performance Plan and found that it did not
contain specific goals, objectives, or performance measures that were relevant to our
audit. We did note that DOF maintains a Balanced Scorecard to track initiatives, targets,
and accomplishments. The Balanced Scorecard for 2007 indicates a number of
accomplishments that enhance the controls over contractor invoice approval, payment,
and posting processes:

• Under Internal Operational Excellence, DOF had an objective of continuous
  improvement. In 2007, the target of having all hard copies of contractor invoices
  scanned into NFE and electronically routed to the OM had been accomplished.
  Procedures have been written, and new contracts are being written to encourage
  vendors to submit invoices electronically.

• Under Promoting Financial Stewardship, DOF has completed a formal program
  of post-payment controls, reviews, and monitoring and incurred only $1,982 in
  interest related to the PPA for 2007.

Compliance with Laws and Regulations

The following laws and regulations are relevant to the FDIC’s controls over contractor
invoice approval, payment and posting to the G/L:

• The Federal Managers’ Financial Integrity Act (FMFIA) (31 United States Code
  3512, subsection (b)) states the head of each executive agency shall establish and
  maintain systems of accounting and internal controls that provide complete disclosure
  of the financial results of the activities of the agency and adequate financial
  information the agency needs for management purposes. In addition, FMFIA
  requires the head of each executive agency to establish internal accounting and
  administrative controls that reasonably ensure that (1) obligations and costs comply
  with applicable law; (2) all assets are safeguarded against waste, loss, unauthorized
  use, and misappropriation; and (3) revenues and expenditures applicable to agency
  operations are recorded properly so that accounts and reliable financial and statistical
  reports may be prepared and accountability of assets may be maintained. While the
  FDIC is not an executive agency for purposes of the FMFIA, provisions of the
  FMFIA became applicable to the FDIC via the Chief Financial Officers Act of 1990,
  described below.

• The Chief Financial Officers Act of 1990 (CFOA) requires that government
  corporations such as the FDIC submit an annual management report to the Congress
  that includes a statement on internal accounting and administrative control systems by
  the head of the management of the corporation, consistent with the requirements for
  agency statements on internal accounting and administrative control systems under
  the amendments made by the FMFIA.
  CFOA also requires the Inspectors General to
  audit their agencies’ financial statements unless the GAO conducts the audit instead.

• The Federal Deposit Insurance Act (FDI Act), section 17(e), requires that the
  financial transactions of the FDIC be audited by the GAO in accordance with the
  principles and procedures applicable to commercial corporate transactions and under
  such rules and regulations as may be prescribed by the Comptroller General of the
  United States.

• Two Office of Management and Budget (OMB) Circulars related to internal controls
  and financial management systems were issued to guide agency compliance with
  FMFIA.

  o Circular No. A-123, Management’s Responsibility for Internal Control, notes
    the provisions of FMFIA regarding internal controls, then specifies
    requirements for assessing internal control, correcting internal control
    deficiencies, and reporting on internal control. The circular’s high-level
    discussion does not prescribe specific control or assessments for a particular
    type of account, but the circular’s principles are applicable to all types of
    agency internal control.

  o Circular No. A-127, Financial Management Systems, deals with financial
    management systems, i.e., systems that can be used for processing and reporting
    data about financial events; supporting financial planning or budgeting activities;
    accumulating and reporting cost information; or supporting the preparation of
    financial statements.
    Financial management systems form a portion of the
    management control structure required by Circular No. A-123. Circular
    No. A-127 has a number of provisions addressing the U.S. Government Standard
    General Ledger and on the internal control aspects of financial management
    systems, among other things. The circular includes various requirements for
    systems as well as related agency responsibilities, to include the development of
    financial management inventories, plans, reviews, and directives.

    Circular No. A-127 also references OMB Circular No. A-130, Management of
    Federal Information Resources, indicating that the circular applies to all agency
    information resources, including financial management systems as defined in
    Circular No. A-127. Circular No. A-130 addresses various issues related to
    information technology systems, as well as paper-based systems.

  The FDIC has determined that to the extent that Circulars No. A-123 and No. A-127
  articulate the standards of FMFIA, the FDIC should adhere to those standards.
  Moreover, the FDIC is not bound by the letter of the circulars, but as long as the FDIC
  develops internal controls that are consistent with the goals of FMFIA, the FDIC will
  have met its legal obligations. Most provisions of Circular No. A-130 apply to the FDIC.

• The PPA and/or its implementing regulations (5 C.F.R. Part 1315), require generally that
  agencies pay vendor invoices timely and include interest in their payments if (1) payment
  is made after the contractual due date or due date established by the regulations, as
  appropriate, or (2) if agencies claim discounts beyond the indicated discount period.
  We refer to these provisions as the “late-payment provisions.” The Act or the regulations
  also contain detailed requirements for invoice content, receipts of goods and services, and
  contract documentation. According to the regulations, agencies should pay invoices
  close to, but not later than, the applicable due dates. Moreover, agencies should have
  adequate controls governing the payment process, consistent with OMB Circular
  Nos. A-123 and A-127 as discussed above.

The FDIC has determined that the Act is applicable to invoices relating to the FDIC in its
corporate capacity but generally not its receivership capacity unless contract terms are to the
contrary.

We assessed DOA’s and DOF’s internal controls and practices for invoice approval,
payment, and posting payment transactions to the G/L for consistency with the above laws
and regulations, although we limited our assessment of the PPA to late payment provisions.

We assessed the risk of fraud and abuse related to the audit objective in the course of
evaluating audit evidence.

APPENDIX 2
SAMPLED INVOICES

FDIC Division         Invoice Number    Invoice Amount   FDIC Contract Number   OM Location
Corporate University  2107                  $21,932.70   CORHQ0893              Headquarters
Corporate University  FDIC2008-01-101        $1,787.50   CORHQ178               Headquarters
DIR                   FDIC55                 $3,360.00   CORHQ1011              Headquarters
DIR                   FDIC56                 $3,680.00   CORHQ1011              Headquarters
DIR                   07-004                 $9,416.67   CORHQ1022              Headquarters
DIT                   028-0002045571     $1,634,809.42   CORHQ680               Headquarters
DIT                   031-0002061105     $1,223,357.56   CORHQ680               Headquarters
DIT                   FDAD0907             $442,695.16   CORHQ896               Headquarters
DIT                   FDAD1207             $688,108.30   CORHQ896               Headquarters
DIT                   400439                $85,252.62   CORHQ904               Headquarters
DOA                   25432                 $22,690.79   CORHQ802               Headquarters
DOA                   25506                 $50,961.22   CORHQ802               Headquarters
DOA                   METLIFE-PP02-08      $192,129.45   CORHQ906               Headquarters
DOA                   VSP-PP21-07           $30,719.75   CORHQ919               Headquarters
DOA                   KC00683625           $133,592.73   CORHQ987               Headquarters
DOA                   KC00688644           $214,746.14   CORHQ987               Headquarters
DRR                   278440                $32,100.00   CORFD120               Dallas Regional Office
DRR                   07-F-009-A            $35,310.99   CORFD189               Headquarters
DRR                   08-F-002-A            $14,785.00   CORFD189               Headquarters
DRR                   2785.84-022908         $2,785.84   CORFD205               Dallas Regional Office
DRR                   401676                $21,246.00   CORFD285               Headquarters
DRR                   8000574104           $292,384.07   CORFD313               Dallas Regional Office
DRR                   8000574104B        *($22,384.07)   CORFD313               Dallas Regional Office
DRR                   8000574104D           $22,384.07   CORFD313               Dallas Regional Office
DRR                   8000608194           $356,362.35   CORFD313               Dallas Regional Office
DRR                   401680                $12,468.97   CORFD317               Headquarters
DRR                   201-1225              $36,366.00   CORFD42                Dallas Regional Office
DRR                   201-1234              $36,366.00   CORFD42                Dallas Regional Office
Legal                 083681                $14,580.96   CORHQ135               Headquarters
Legal                 3373810827            $95,797.34   CORHQ979               Headquarters
Total                                    $5,709,793.53

Source: OIG Analysis of NFE payment transactions processed from October 1, 2007 through
March 31, 2008.

*This amount was deducted from the invoice because the OM initially deemed that travel expenses
were not allowed under the contract for this invoice. However, the OM subsequently determined
that the travel expense was allowable on the contract and approved the billed travel expense.

APPENDIX 3
CORPORATION COMMENTS

APPENDIX 4
MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of the
recommendations as of the date of report issuance.

Rec.  Corrective Action: Taken or Planned     Expected     Monetary   Resolved:[a]   Open or
No.                                           Completion   Benefits   Yes or No      Closed[b]
                                              Date
1     DOA’s Benefits Center staff will        12/31/2008   NA         Yes            Open
      instruct BAS, the contractor for
      administering the employee
      benefits programs, to include the
      required information on the
      invoices for the program and send
      the invoices directly to DOF.

      DOF will implement a process to         09/30/2008
      follow up with OMs who receive
      an invoice directly from a
      contractor and forward the invoice
      to DOF for processing. DOF will
      reinforce to the OM that contractors
      should submit invoices directly to
      DOF. If there is a valid reason for
      a vendor invoice being first
      received by the program office,
      DOF will document this exception
      and stress to the program office the
      importance of maintaining
      segregation of duties for invoice
      preparation, submission, and
      approval.

2     DOA will include a review of OM         12/31/2008   NA         Yes            Open
      training and appointments on a new
      review checklist for contract
      post-award reviews to be conducted for
      contract compliance.

3     DOA will also include on the            12/31/2008   NA         Yes            Open
      contract post-award review
      checklist a CEFile review to ensure
      that all contract documentation is in
      the files.

[a] Resolved – (1) Management concurs with the recommendation, and the planned, ongoing, and completed
    corrective action is consistent with the recommendation.
    (2) Management does not concur with the recommendation, but alternative action meets the intent
    of the recommendation.
    (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary
    benefits are considered resolved as long as management provides an amount.
[b] Once the OIG determines that the agreed-upon corrective actions have been completed and are responsive to the
    recommendations, the recommendations can be closed.

APPENDIX 5
ACRONYMS USED IN THE REPORT

APM       Acquisition Policy Manual
ASB       Acquisition Services Branch
BAS       Benefits Allocation Specialists
CEFile    Contract Electronic File
CFOA      Chief Financial Officers Act of 1990
C.F.R.    Code of Federal Regulations
DIR       Division of Insurance and Research
DIT       Division of Information Technology
DOA       Division of Administration
DOF       Division of Finance
DOU       Disbursement Operations Unit
DRR       Division of Resolutions and Receiverships
EFT       Electronic Funds Transfer
FASAB     Federal Accounting Standards Advisory Board
FASB      Financial Accounting Standards Board
FDI Act   Federal Deposit Insurance Act
FMFIA     Federal Managers’ Financial Integrity Act
GAAP      Generally Accepted Accounting Standards
GAO       Government Accountability Office
G/L       General Ledger
NFE       New Financial Environment
NSCU      NFE Servicing and Control Unit
OIG       Office of Inspector General
OM        Oversight Manager
OMB       Office of Management and Budget
PPA       Prompt Payment Act
"